A blog about Cyber Security & Compliance

Month

June 2015

Vectra Networks announced the results of the second edition of its “Post-Intrusion Report”, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.

Report data was collected over six-months from 40 customer and prospect networks with more than 250,000 hosts, and is compared to results in last year’s report. The new report includes detections of all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.

According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance (270%) detections that outpaced the 97% increase in overall detections compared to last year. These behaviors are significant as they show signs of targeted attacks that have penetrated the security perimeter.

While command-and-control communication showed the least amount of growth (6%), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1,000% compared to last year and accounted for 14% of all command-and-control traffic, while external remote access shot up by 183% over last year.

The report is the first to study hidden tunnels without decrypting SSL traffic by applying data science to network traffic.

A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker’s preference for encryption to hide their communications.

The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, Vectra Networks CTO. “The attackers’ batting average hasn’t changed much, but more at-bats invariably has translated into more hits

Within the category of lateral movement detections, brute-force attacks accounted for 56%, automated replication accounted for 22% and Kerberos-based attacks accounted for 16%. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400% compared to last year.

Lateral-movement detections, which track the internal spread of malware and authentication-based attacks such as the use of stolen passwords, led the pack with over 34% of total detections.

Command and control detections, which identify a wide range of malicious communication techniques, were close behind with 32% of detections.

Botnet monetization detections track the various ways criminals make money from ad click-fraud, spamming behavior, and distributed denial of service (DDoS) attacks. These botnet-related behaviors accounted for 18% of all detections.

The reconnaissance category looks for internal reconnaissance performed by an attacker already inside the network and represented 13% of detections.

Exfiltration detections look for the actual theft of data. The good news here is that it was by far the least common category of detection at 3%.

The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic and traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.

Like this:

There are significant gaps in cybersecurity knowledge, shared visibility and mutual trust between those who serve on organizations’ board of directors and IT security professionals. These gaps between those responsible for corporate and cyber governance and those responsible for the day-to-day defense against threats could have damaging impacts on organizations’ cybersecurity posture, leaving them more vulnerable to attack and breaches.

This data comes from a new survey, Defining the Gap: The Cybersecurity Governance Survey, conducted by the Ponemon Institute and commissioned by Fidelis Cybersecurity.

Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.

The survey asked more than 650 board members and IT security professionals (mainly CIOs, CTOs and CISOs) for their perspectives regarding board member knowledge and involvement in cybersecurity governance.

Key findings include:

Lack of Critical Cybersecurity Knowledge at the Top

76% of boards review or approve security strategy and incident response plans, but 41% of board members admitted they lacked expertise in cybersecurity. An additional 26% said they had minimal or no knowledge of cybersecurity, making it difficult, if not impossible, for them to understand whether the practices being discussed adequately address the unique risks faced by their organization. This renders their review of strategy and plans largely ineffective.

Limited Visibility into Breach Activity

59% of board members believe their organizations’ cybersecurity governance practices are very effective, while only 18% of IT security professionals believe the same. This large gap is likely the result of the board’s lack of information about threat activity. Although cybersecurity governance is on 65% of boards’ agendas, most members are remarkably unaware if their organizations had been breached in the recent past. Specifically, 54% of IT security professionals reported a breach involving the theft of high-value information such as intellectual property within the last two years, but only 23% of board members reported the same, with 18% unsure if their organizations were breached at all.

As the breadth and severity of breaches continues to escalate, cybersecurity has increasingly become a board level issue,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “The data shows that board members are very aware of cybersecurity, but there is still a lot of uncertainty and confusion. Many lack knowledge not only about security issues and risks, but even about what has transpired within their own companies, which is shocking to me. Without an understanding of the issues, it’s impossible to reasonably evaluate if strategies and response plans are effectively addressing the problem

Absence of Trust Between Boards and IT Security Professionals

The board’s lack of knowledge has created a further divide. Nearly 60% of IT security professionals believe that the board does not understand the cybersecurity risks of the organization, compared to 70% of board members who believe that they do understand the risks.

The gap in knowledge and limited visibility into breach activity means board members don’t have the information they need to make smart cybersecurity governance decisions, and IT security professionals don’t have the support, monetary or otherwise, to maintain a strong security posture,” said retired Brig. Gen. Jim Jaeger, chief cyber services strategist at Fidelis. “Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and be able to provide the support needed for the security teams to protect against those risks

Additional Key Findings Include:

Target breach was a watershed moment. 65% of board members and 67% of IT security professionals reported that the Target data breach had a significant impact on the board’s involvement in cybersecurity governance, while previous high profile breaches were reported to have nominal or no impact.

The SEC will drive drastically increased board involvement. The Securities & Exchange Commission (SEC) Guidelines requiring the disclosure of material security information had a significant impact in boards’ involvement, according to 46% of board members and 44% of IT security professionals. However, only 5% of board members and 2% of IT security professionals say they followed the SEC guidelines and disclosed a material security breach to shareholders. Moving forward, 72% of board members believe the SEC will make the guidelines a mandate, and 81% believe that this will increase the board’s involvement in cybersecurity governance.

Like this:

Marsh has undertaken an in-depth study into organisations’ attitudes towards the cyber threat, the management control processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer. The benchmarking data in this report was collected from risk professionals and CFOs from large and medium-sized corporations from across the UK.

Spotlight on cyber risk to UK companies:

18% of organisations have a “complete understanding” of cyber risk, down on last year

4% of UK businesses have board-level oversight of cyber risk

4% of companies do not assess their suppliers and/or customers for cyber risk

Firms across the UK continue to place cyber among their leading risks in terms of the likelihood and severity of impact; however, suggest there is still a lot of work to do to improve understanding and management.

Interestingly, there has been a substantial drop in the percentage of respondents who feel they have a “complete understanding” compared to last year (down from 34% to 18%).

This comes at a time when cyber risk is being elevated as a board agenda item, suggesting that executive-level interrogation has exposed a pre-existing overconfidence in the level of knowledge and understanding within certain organisations.

If this is the case, then it is clear those tasked with creating and delivering critical management information relating to cyber risk need more help and guidance to get them to a position where the level of management information is adequate.

Cyber risk is ranked as a tier one threat according to the UK National Security Strategy, and it is therefore surprising that 26.4% of UK companies surveyed do not consider it to be material enough to even get on the risk register. Just 16.6% of companies place cyber as a Top five risk on the risk register, while the remainder place it outside of the Top 10.

73% of respondents from the manufacturing industry say that cyber risk does not appear in the Top 10 risks on their corporate risk registers, the highest proportion of industry segments we surveyed.

This is perhaps understandable due to a low level of high-profile cyber incidents within the industry; however, as a key target for industrial espionage, and with instances of industrial control technology being compromised recently reported, one could argue that the threat is being underestimated.

The fact that fewer than 31.9% of respondents have identified one or more cyber scenarios that could most affect their organisations suggests that the lack of a complete understanding and absence/low positioning of cyber on the risk register is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their businesses.

Board-level ownership of cyber risk exists in 19.4% of UK organisations. While this figure is broadly in line with last year’s findings (20%), it remains very low. Meanwhile, IT departments continue to take primary responsibility for cyber risk in 55.5% of organisations. Cyber risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing to note that there is no material upwards movement in risk management and board functions seizing responsibility from IT (the percentage has risen incrementally to 15.3% from 14% in 2014). IT departments might know how to implement cybersecurity; however, the inability of IT to drive value for the organisation or the potential for significant damage to be caused as a result of a security breach, most certainly is a business risk, the consequences of which will be felt at the highest levels of the organisation should it occur.

Boards therefore need to take ownership of cyber risk before a cyber event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources against the business’s risk management agenda.

The percentage of firms that have experienced a cyber-attack in the past 12 months has risen to 40.3%, albeit marginally (from 31% in 2014).

However, compared with other statistics (HM Government’s 2015 Information Security Breaches Survey states that 90% of large organisations and 74% of small organisations have suffered a security breach), this figure is still low, indicating that many of the respondents to this year’s survey are either particularly fortunate or (more likely) unaware of breach events within their firms.

Interestingly, 100% of respondents in two industries, communications, media, and technology and energy reported that they had been subject to a cyber-attack in the past 12 months. This most likely reveals a more enlightened position of those organisations rather than any high level of vulnerability.

In terms of organisations that have conducted or estimated the financial impact of a cyber-attack, this year’s survey results are somewhat contradictory to earlier findings. As such, it would be reasonable to question the rigorousness of the financial analysis around those numbers and how many are in fact high-level estimates rather than worst loss values calculated from detailed information and knowledge of cyber risk and individual exposures.

61.1% of organisations have not yet made any attempt to estimate/calculate loss estimates, however, suggesting that they are operating in the dark when it comes to the financial impact upon their businesses.

This puts them in a poor position to transfer the risk or even to appreciate whether a cyber event might threaten the viability of the company. Event modelling, combined with financial stress testing, is required to evaluate both the total financial loss attaching to an event and the shorter-term availability of cash to maintain trading.

The majority of organisations have not planned for sources of funding; however, the 48.9% that have is an encouraging number. Since just 11.1% of companies are buying insurance, it must be the case that companies are bypassing the insurance market and finding alternative methods to fund the risk (from available cash lines or lines of credit or assets that can be disposed of rapidly, for example).

Possessing and rehearsing an incident response plan is recognised as having a very positive effect on the operational, financial, and reputational impact of a cyber- attack upon an organisation.

The effect for breaches of personal data was quantified in the Ponemon Institute’s 2015 Cost of Data Breach Study, which reveals that those companies with an incident response team in place typically make a GBP £9.50 saving on the per capita cost of a data breach, compared with the mean per capita cost.

Lack of control over suppliers/third parties a major concern

It is both a surprise and a huge concern that 69.4% of respondents to this year’s survey do not assess the suppliers and/or customers they trade with for cyber risk.

Suppliers and external organisations with whom system links are shared present one of the key vulnerabilities to UK companies. Businesses have done a lot to improve cybersecurity in the past 12 months; however, their exposure to third parties, whether service providers, product suppliers, customers, or, in the case of banks, borrowers, presents significant risks to companies’ networks. In addition to this, 51.4% are not asked to demonstrate a competent standard of IT security practices to their own bank and/or customers in order to do business with them.

While organisations can control their own networks, they have much less control over those of the suppliers/third parties that they might be linked to. Without the appropriate checks, this leaves them exposed and lacking control over standards of IT security in systems where hackers might find a “back door” into their organisation.

There therefore needs to be an improvement in supply-chain resilience to cyber-attack if organisations are going to reduce the threat arising from this key vulnerability. This is especially true for large organisations with a profile that attracts highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected. For example, a recent report published by Marsh and the UK Government highlighted that 22% of small businesses admit they “don’t know where to start” with cybersecurity.

One of the most well-publicised cyber breaches in recent years occurred at a large US retail company after hackers stole network credentials from a third-party heating, ventilating, and air conditioning (HVAC) contractor that had an IT link with the victim’s corporate systems. Incidents like these are likely to rise in frequency until organisations place greater focus on setting out the basic technical controls that all suppliers/ contractors should have in place.

More than half of respondents are not asked to demonstrate a competent standard of IT security practices to their own banks and/or customers.

Take up of cyber insurance remains low

52.8% of respondents’ organisations are engaged with the insurance market in one way or another.

Marsh’s experience and earlier findings in this survey suggest that the remainder are not yet ready to approach the market as they have an incomplete understanding of the risk, as opposed to them making a conscious decision not to purchase insurance following a value-based judgment.

This latter explanation would tie in with the earlier finding that 68.1% of organisations have not identified one or more cyber scenarios that could most affect their organisations. Organisations such as these, because they have not carried out the financial assessment required are in a poor position to approach the insurance market and place a value on transferring the risk. The survey data therefore suggests that more work needs to be done by organisations and their professional advisers, including their insurance brokers, to help improve their understanding of cyber risk and their cyber exposures and demonstrate what value insurance can bring.

The insurance market continues to address the issues that represent organisations’ greatest concerns a standard cyber insurance policy can deliver cover against breach of customer information (31.9%) and business interruption (22.2%), while computer crime/fraud (12.5%) can be insured against via a comprehensive crime insurance policy. The insurance market is also making inroads to deliver meaningful cover for reputational loss (8.4%).

Of particular interest is that none of the respondents from the industrial sectors identified physical property damage as a priority risk, despite a lot of recent attention being given to the threat that exists to critical infrastructure and the potential for tampering with industrial control technology.

The findings suggest that companies recognise that cyber insurance is not a holistic solution in dealing with cyber exposure and that, in fact, it covers only certain specific events and outcomes.

Cyber exposure might attach itself to a number of different insurance policies that need to maintain an effective response when the loss or liability outcomes are created by cyber events. 48.6% of respondents admit to having “insufficient knowledge” in order to assess the insurances available, which may suggest a lack of insight into what can be insured by a cyber insurance policy. However, in view of the earlier findings, this figure might also indicate that a lack of understanding of their firm’s own risk profile places many respondents in a position where they are unable to make an informed judgment as to whether the cover is appropriate.

Cyber insurance is not a holistic solution in dealing with cyber exposure and covers only certain specific events and outcomes.

Marsh’s conclusion

Clearly, there is still a lot of work that needs to be done by UK organisations in order to improve their understanding and management of cyber risk. Achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.

The solution to this lies in the boardroom, and it is still a great concern that the board takes primary responsibility for cyber risk in 19.4% of organisations surveyed. Only with board-level buy-in can companies take the big strides needed to advance their knowledge and perform the financial modelling required. Proper assessment and quantification of the risk will lead to better targeted mitigation, practical improvements in risk management, and the ability to judge the value of the risk transfer options available on the market.

One particularly interesting, and somewhat remarkable, finding to emerge from this year’s survey is 69.4% of respondents’ organisations do not assess the suppliers they trade with for cyber risk. Supply chains are proven to be a critical vulnerability in corporate IT networks, yet there appears to be too little work being done to ensure that the entities with which companies share system links are following basic good security practices.

This has to improve as, for all the proactive steps taken and money invested to harden corporate networks against cyber-attacks, a security breach at a contractor or service provider, for example, could potentially allow hackers to circumnavigate all of that.

The insurance industry can play and is already playing a role in that assurance process; however, more work needs to be done in order to move the security focus away from the edge of the corporate network and to the heart of strategic decision making.

Like this:

Tripwire have announced the results of a study on the cyber literacy challenges faced by organisations.

The study evaluated the attitudes of executives as they relate to cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations.

Despite the increasing number of successful cyberattacks against U.K. organisations, the study revealed that 54% of C-level executives at organisations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is both cybersecurity literate and actively engaged in routine security. IT professionals from the same organisations are less confident in their boards cybersecurity knowledge, with 26% stating their boards only steps in when there is a serious incident.

While the results of the study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,”29% of IT professionals either answered “no” or “not sure.” However, when C-level executives were asked the same question, 84% answered “yes.”.

There’s a big difference between cybersecurity awareness and cybersecurity literacy,” said Dwayne Melancon, chief technology officer for Tripwire. “If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they that they don’t fully understand the business impact of these risks

Other key findings include:

28% of IT professionals “don’t have visibility” into what the board is told about cybersecurity

47% were “not concerned” about their boards knowledge of cybersecurity.

In the event of a cyberattack, respondents would be most concerned about 62% customer data, 50% damage to brand and reputation and 40% financial damage or stock price.

35% of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cybersecurity awareness, while other respondents felt that Heartbleed (19%) had a bigger impact than the Target or Sony breach and the Snowden leaks (17% and 8%, respectively).

Most organisations are not struggling with communication tools said Melancon. They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk

Like this:

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations

Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Like this:

RIMS, the risk management society ™ has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals including insurance investments, exposures, cyber security ownership, government involvement, as well as identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify methods and response procedures used by its members. As well, the organization wanted uncover strategies in place addressing areas such as insurance investments, exposures, cyber security in order to uncover strategies used by its members against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern”

Like this:

Blue Coat Systems global survey of 1580 respondents across 11 countries highlights a global trend of employees ignoring cyber risks while at work. Results from the survey found that universally, workers visit inappropriate websites while at work despite typically being fully aware of the risks to their companies.

Blue Coat’s research, conducted by independent research firm Vanson Bourne, found the actions of employees at odds with their awareness of the growing cyber threats facing the workplace. In addition, this risky behaviour can leave both sensitive corporate and personal data open to being stolen and used immediately, stored for future use, or sold into a thriving black market where compromised corporate and personal identities are traded globally.

One source of cyber threats is the practice of phishing. Cyber criminals continuously conduct extensive research on employees’ social profiles to find information that can be used to attack organizations. For example, an attacker may create a seemingly personalized email targeted at an IT administrator for a large enterprise using information found on social media profiles, such as the recipient’s alma mater or favourite sports team. That email may contain malware that is downloaded once the recipient clicks on a link included in the document.

Pornography continues to be one of the most popular methods of hiding malware or malicious content. Even though awareness is high of the threat posed by adult content sites, workers are still visiting these potentially dangerous sites.

The Blue Coat survey found that at 19%, China has the worst record for viewing adult content sites on a work device, with Mexico (10%) and the UK (9%) not far behind.

Survey Highlights

The majority of global survey participants admitted understanding the obvious cyber threats when downloading email attachments from an unknown sender, or using social media and unapproved apps from corporate networks without permission, but knowing this, did not curb their risk-taking.

Other findings include:

65% of global respondents view using a new application without the IT department’s consent as a serious cyber-security risk to the business, 26% admitted doing so.

37% of respondents in Singapore used new applications without IT’s permission, compared to 33% in the UK and 30% in India and Mexico. On the flip side, Australia and France were the lowest offenders at 14% and 16% respectively; however, any number puts businesses at risk.

Obvious behaviours such as opening emails from unverified senders still happen at work. 29% of Chinese employees open email attachments from unverified senders, even though 72% see it as a serious risk. US businesses view the threat even more seriously (80%) and open less unsolicited emails (17%).

41% use social media sites for personal reasons at work, a serious risk to businesses, as cyber criminals hide malware on shortened links and exploit encrypted traffic to deliver payloads.

6% of global respondents still admitted viewing adult content on work devices, China ranked as the worst offender with 19% employees admitting to viewing adult content at work, compared to Australia and Germany, both at 2%

While the majority of employees are aware of cyber security risks, in practice most still take chances,” said Dr. Hugh Thompson, CTO for Blue Coat. “The consumerization of IT and social media carry mixed blessings to enterprises. It is no longer realistic to prevent employees from using them, so businesses need to find ways to support these technology choices while simultaneously mitigating the security risks